Sertifi Support Site

Single Sign-on (SSO)

Note

Sertifi supports SSO using the SAML 2.0 protocol. This is supported by most identity providers, including Okta, Azure, Active Directory Federation Services, and OneLogin.

You can enable single sign-on (SSO) for your Sertifi portals. When SSO is enabled, all admins must log in to their portal using your organization's enterprise authentication system.

SSO Considerations for Existing Sertifi Customers

There are two key considerations if you want to enable SSO for your Sertifi portals:

  • If your users have existing Sertifi profiles, they can log in with SSO, and Sertifi will pair each existing Sertifi profile with the email address the user logs in with. However, this assumes that the user's Sertifi login email address is exactly the same as the email address they use to log in to your system.

  • If SSO is configured and enabled, your users' login process changes accordingly. Rather than using their originally created username and password, they must click Log in with Enterprise ID when logging in to the portal.

User Provisioning

Sertifi allows for two different approaches to SSO provisioning: just-in-time (JIT) provisioning or ahead-of-time (AOT) provisioning.

AOT Provisioning

AOT provisioning is the option to give users (who do not have an existing Sertifi profile) full Admin or higher access from their initial login. Sertifi can create profiles for these users that are tied to the users' IDs in your system. To do this, you must provide Sertifi with:

  • The users' email addresses

  • The users' system IDs

  • The users' assigned roles (User, Admin, etc.)

Alternatively, the Super Admin can also create the profiles via the Create Admin page in the portal, so when the users log in with SSO for the first time, they're already associated with the correct profile.

JIT Provisioning

Sertifi also offers JIT provisioning functionality. When a new user logs in with SSO, our system will create a Sertifi profile using the provided email address, first name, and last name. This profile is then tied to the user's ID for future logins.

However, this profile only receives user-level access initially, which means that the user cannot send documents. The Super Admin for the portal will need to update the user to have Admin access using the Create Admin page in the portal.
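
A pre-enablement check for the pairing and provisioning rules above, as an added example (not Sertifi's code or tooling): it compares an identity-provider user list against existing Sertifi profile emails and sorts users into those that pair, those needing AOT details, and those JIT will create at user level. Both inputs are constructed samples; the CSV column names, and the choice to flag case-only or whitespace-only differences for review, are assumptions.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not a Sertifi or identity-provider export format.
IDP_USERS = """email,system_id,role
alice@example.com,u-1001,Admin
Bob@Example.com,u-1002,Admin
carol@example.com,u-1003,User
dave@example.com,u-1004,Admin
"""
SERTIFI_PROFILES = """email
alice@example.com
bob@example.com
erin@example.com
"""

def norm(email):
    # Loose comparison key, used only to spot near-misses worth a manual look.
    return email.strip().casefold()

def plan_sso_rollout(idp_csv, profiles_csv):
    profiles = [r["email"] for r in csv.DictReader(io.StringIO(profiles_csv))]
    exact = set(profiles)
    loose = {norm(e): e for e in profiles}
    plan = {"paired": [], "review": [], "aot": [], "jit": [], "unmatched_profiles": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(idp_csv)):
        email = row["email"]
        seen.add(norm(email))
        if email in exact:
            plan["paired"].append(email)      # exact match: pairs with existing profile
        elif norm(email) in loose:
            # Differs only by case or whitespace; pairing needs the exact same address.
            plan["review"].append((email, loose[norm(email)]))
        elif row["role"] != "User":
            plan["aot"].append(dict(row))     # email, system ID, role to provide for AOT
        else:
            plan["jit"].append(email)         # JIT creates a user-level profile
    # Existing Sertifi profiles with no identity-provider account behind them.
    plan["unmatched_profiles"] = [e for e in profiles if norm(e) not in seen]
    return plan

if __name__ == "__main__":
    for bucket, entries in plan_sso_rollout(IDP_USERS, SERTIFI_PROFILES).items():
        print(bucket, entries)
```

Entries under `review` and `unmatched_profiles` are the ones to resolve before enabling SSO, since they are the accounts whose access would otherwise change unexpectedly.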

Users with multiple portal access

In some cases, a user might have Admin or higher access to multiple Sertifi portals. When the user logs in with SSO, the user can access each portal for which they have Admin-level access via a dropdown in the top right side of the portal, next to their username.

However, if the user doesn't have Admin-level access or higher, you have the option for those users to be automatically redirected to the portals they can access. Provide the account you want to serve as the landing page for these users to your Client Success Manager.